Giving retailers the finger. And the eye …


12 February 2018

Andy Rowland

Posts by author: Andy Rowland, Head of Customer Innovation: Energy, Resources and Manufacturing, BT.


What was once science fiction is now science fact: biometric identity verification is fast becoming a day-to-day reality. So what’s in it for retailers?

We’ve all seen the films where someone gets into a secure vault by looking into a lens and having their identity confirmed by retina scan, or gains access to a secret government facility by palm print ID.

Of course, the thing about biometric technology is that the inputs are static: fingerprints, iris and retina scans, and vein and vascular patterns never change. There are also solutions that rely on matching behavioural traits with the customer’s baseline, like voice recognition, computer mouse signature (movement, speed, pressure, timing), and keystroke dynamics (speed and timing). Boffins are even experimenting with gait recognition, as how you walk is quite distinctive.

Who are you again?

Why are people developing these systems? Well, one of the security challenges of digital retailing is anonymity: knowing for certain who’s buying something from you. Biometric verification puts an end to that uncertainty (well, kind of, as we’ll see below…), strengthening the retailer’s security.

But with every silver lining, there’s a cloud: new security vulnerabilities. For instance, a BBC reporter recently managed to dupe HSBC’s voice recognition software into thinking it was dealing with his twin. And a German hacking team fooled the Samsung Galaxy S8 iris scanner by printing a photo of the iris and holding it behind a contact lens.

But these are likely just early mishaps on the road to a more secure (and convenient) future.

Will customers buy biometrics?

Biometrics throws up loads of tricky questions: what happens to the data that’s captured? How’s it stored? For how long? Who has access to it? And how do you stop hackers stealing your biometric data?

Luckily, there are some technologies available that can help.

Biometric cryptosystems, for instance, match incoming data against the baseline within an encrypted domain. There are also private or cancellable biometrics (one-way transformation only), differential privacy systems (biometric data and personal information are always stored separately), and smartcard-secured templates (where control sits with the cardholder, removing the uncertainty of matching through a network-connected device, an external server, or a database).

But perhaps the most significant question is whether customers will be happy to hand over their biometrics to you or not.

I believe the answer will be ‘yes’ but only if we all have complete confidence that our data is secure and will not be used against us.

A token clever idea

And here’s a clever idea that’s still under development: tokens that don’t carry any data.

This works by associating a digital identity with an individual using a token that doesn’t store any data whatsoever (and is therefore useless if it’s lost or falls into the wrong hands). The token, programmed to recognise your biometric data, generates a unique key, which it sends to the server, where it interfaces with the authentication portal.

And here’s the smart bit. Because there’s no actual physical data stored on the token, your identity stays secure while the other party can verify that it’s really you on the other side.

But, as the security technology and protocols haven’t quite reached maturity yet, I’d recommend taking a blended approach where you use both traditional and biometric verification in tandem. Look at adopting biometrics as a long-term strategy rather than a short-term upgrade.

And, bearing in mind the hefty price tag that comes with biometric systems, think carefully about your fraud-risk tolerance threshold.
